U.S. Department of Energy
Office of Inspector General
Office of Inspections

Interim Inspection Report

Inspection of Internal Controls Over Personal Computers at Los Alamos National Laboratory

DOE/IG-0597
April 2003

TABLE OF CONTENTS

OVERVIEW
    Introduction and Objective
    Observations and Conclusions
DETAILS OF FINDINGS
    Purchase Card Acquisitions of Computers
    Continued Use of Purchase Cards
    Discrepancies in List of Classified Computers
    Unlocated Computers
    Reporting of Stolen Laptop Computers
    Financial Liability
    Summary
RECOMMENDATIONS
MANAGEMENT COMMENTS
INSPECTOR COMMENTS
APPENDIX
    A. Scope and Methodology
    B. Management Comments

Overview

INTRODUCTION AND OBJECTIVE

Computers are used extensively in the full range of operations at the Los Alamos National Laboratory (LANL), including processing classified national security information. LANL reported an inventory of approximately 5,000 laptop and 30,000 desktop computers at the end of Fiscal Year (FY) 2002.
Department of Energy (DOE) and LANL property policies identify computers as “sensitive property,” due in part to their susceptibility to theft and potential for conversion to cash. It is an expected practice that management controls over computers throughout the DOE complex remain robust and consistent.

The Office of Inspector General’s recent Special Inquiry on Operations at Los Alamos National Laboratory (DOE/IG-0584, January 2003) reported inadequate or untimely analysis of, and inquiry into, property loss or theft and security issues; a lack of personal accountability for property; and inadequate controls over property systems.

The objective of this inspection is to determine the adequacy of internal controls over laptop and desktop computers at LANL. While this interim report addresses some concerns relevant to desktop computers, its primary focus is on accountability of laptop computers. A broader assessment of controls over desktop and laptop computers will be included in a subsequent report.

OBSERVATIONS AND CONCLUSIONS

We have determined through our field work to date, that internal controls over classified and unclassified laptop computers at LANL are inadequate.
We identified control weaknesses that undermine confidence in LANL’s ability to assure that laptop computers are appropriately controlled; are adequately safeguarded from loss or theft; and that laptop computers used to process and store classified information are controlled in accordance with existing security requirements.

Specifically, we found that:

• The “purchase card process” did not assure that required inventory controls were followed when new computers were purchased;

• Laptop and desktop computers were acquired using purchase cards after LANL prohibited such purchases without special authorization;

• LANL could not accurately account for its single user, stand-alone, classified laptop computers;

• Laptop computers reported as “unlocated” were written-off of the LANL Property Inventory without a formal inquiry;

• Thefts of laptop computers were sometimes not reported to the Office of Security Inquiries, as required; and,

• Employees were not held financially liable for the loss of their assigned Government computer(s) in accordance with LANL requirements.

Additionally, there were indicators of similar problems regarding desktop computers.

Details of Findings

PURCHASE CARD ACQUISITIONS OF COMPUTERS

LANL’s purchase card process[1] did not assure that required inventory controls were followed when new computers were purchased.

Property Numbers

We identified new computers that had not been assigned property numbers within the LANL Property Inventory System and instances where computer property numbers were not entered into the LANL Purchase Card Database, as required. During FYs 2001 and 2002, LANL acquired approximately 1,093 new computers, including laptops and desktops, using purchase cards. LANL’s property management policy identifies computers as “sensitive items.” As such, a property number must be assigned so that the item can be tracked through LANL’s Property Inventory System. The property number assigned to all sensitive items acquired using a purchase card must be entered into the Purchase Card Database.

The purchase card process requires all cardholders to inform the appropriate Property Administrator when a sensitive item is ordered. There are many Property Administrators at LANL. The Property Administrator assigns a property number and provides a bar-coded property tag. The Administrator then requests that the Property Accounting Office activate the number within the LANL Property Inventory System.
The purchase card holder is responsible for entering the assigned property number for the acquired sensitive item into the Purchase Card Database.

We found instances where no property numbers were assigned to computers. In other instances, we discovered that property numbers were not assigned for more than a year after the computer was acquired. We determined that the reason for these oversights was that purchase card holders had not informed Property Administrators of the computer purchases or that they had received the shipment of computers. Property numbers were not assigned at a central receiving point.

The Purchase Card Database did not contain a property number for approximately 762 (70%) computers purchased during FYs 2001 and 2002. The requirement to include the property number in the database serves to ensure that purchases of sensitive items and equipment are subject to appropriate property controls.

[1] In December 2002, an External Review Team retained by LANL concluded that LANL’s Purchase Card Program had internal control weaknesses that left LANL vulnerable to fraud and abuse. The Team noted that there was a failure in the Purchase Card Program to properly account for sensitive controlled property, which includes computers.

Inventory Reconciliation

Computer purchases listed in LANL’s Purchase Card Database could not be reconciled with computers listed in LANL’s Property Inventory System, due to:

• Inaccurate or incomplete descriptions of the computers;

• Differences in cost entries for the same items listed in the Purchase Card Database and the Property Inventory System;

• Purchase transactions of multiple computers with only one assigned property number; and,

• No property numbers or incorrect property numbers entered into the Purchase Card Database.

Using a small sample of computers that were listed in the Purchase Card Database without property numbers, we determined that 23 of 26 computers, in fact, had property numbers that had been entered into the LANL Property Inventory System.
However, obtaining this information was accomplished with difficulty, requiring interviews of purchase card holders, requesters, and Property Custodians[2].

CONTINUED USE OF PURCHASE CARDS

Laptop and desktop computers were acquired using purchase cards after LANL prohibited such purchases without special authorization. This occurred following a change in LANL policy requiring such authorizations. A LANL memorandum changing LANL purchase card use procedures, effective August 26, 2002, states that all property-controlled items, which include sensitive items such as laptop and desktop computers, may not be purchased with purchase cards unless authorized and approved by the LANL Property Manager or Deputy Property Manager.

Los Alamos officials asserted that purchase card holders were not notified by management of these changes until September 11, 2002. During the period August 26 to September 11, 2002, cardholders purchased 20 laptop and desktop computers. We found that one laptop and one desktop computer were purchased after September 11, 2002.
The Deputy Property Manager advised that no LANL employee had requested nor was granted approval for the acquisition of a laptop computer using a purchase card after August 26, 2002.

[2] At the request of the Office of Inspector General, LANL is currently attempting to reconcile computers acquired by Purchase Cards with the LANL Property Inventory.

DISCREPANCIES IN LIST OF CLASSIFIED COMPUTERS

LANL could not accurately account for its single user, stand-alone classified laptop computers. At our request, LANL’s Office of Cyber Security provided a list of classified single user, stand-alone laptop computers that we subsequently found was inaccurate. We were told that the primary purpose of the Office of Cyber Security’s list was to identify the laptop computers that were accredited for processing classified information.
Accreditation is the authorization by a designated approval authority that a computer can be used to process classified information in a specific environment, based on the computer meeting pre-specified technical requirements for achieving adequate data security[3]. Accreditation is required in accordance with DOE M 471.2-2. During our inspection fieldwork, we identified laptop computers that were not on the Office of Cyber Security’s list, were not accredited, and were being used to process classified information. The use of a laptop computer to process classified information before it is accredited circumvents the controls in place to ensure that national security interests are protected.

We found the following discrepancies:

• Four laptop computers being used for classified processing were not on the Office of Cyber Security’s list;

• Two of the four laptop computers were not accredited;

• One of those two unaccredited computers had been used to process classified information for at least 1 ½ years prior to our fieldwork and identification of the problem (NOTE: Upon learning of the accreditation issue regarding the laptop computers, LANL officials took corrective action);

• Four laptop computers on the Office of Cyber Security’s list were not on LANL’s property inventory;

• One laptop computer on the Office of Cyber Security’s list did not have a valid property number;

• Three laptop computers had been excessed, but were still on the Office of Cyber Security’s list; and

• Two laptop computers on the Office of Cyber Security’s list were no longer being used for classified processing. We learned that they should have been excessed.

[3] Accreditation of a laptop computer requires that it be operated under a current Classified Information Systems Security Plan within the responsibility of a Classified Information Systems Security Officer, or an Organizational Computer Security Representative.

We observed that these discrepancies could have been identified by the Office of Cyber Security through a physical inventory of classified laptop computers. LANL’s Property Management Manual requires that a physical inventory and reconciliation of “sensitive property numbered Government items” be conducted annually.
Office of Cyber Security officials advised us that inventories are conducted using a self-assessment process, whereby each division self-reports on its inventory of classified media, including classified laptop computers. In view of the discrepancies we identified, the self-assessment process for conducting inventories of classified computers was not sufficient to assure strict accountability for classified laptop computers.

UNLOCATED COMPUTERS

Laptop computers reported as “unlocated” were written-off of the LANL Property Inventory without a formal inquiry. Unlocated computers, while not specifically defined in LANL’s property policy, are defined by LANL as those that cannot be found following a property inventory at the end of the fiscal year. For FYs 2001 and 2002, LANL reported 22 laptop computers as unlocated[4].
These computers were purchased at a cost of $80,778. Although LANL’s Office of Security Inquiries (OSI) conducted inquiries into “lost” and “stolen” items[5], including laptop computers, no formal inquiry was conducted on these “unlocated” laptop computers.

For example, at the end of its FY 2002 inventory, Protection Technology Los Alamos (PTLA), the physical security subcontractor at LANL, identified four laptop computers as unlocated. PTLA took action to have the four laptop computers, which were purchased at a cost of $17,705, written-off of the property inventory and no OSI inquiry was conducted. Aspects of PTLA’s mission are classified and highly sensitive.
PTLA officials advised that the computers were not used for classified work.

[4] The January 2003 Office of Inspector General Special Inquiry reported that during FYs 2000, 2001, and 2002, 42 laptop computers purchased at a cost of $151,821 were lost, stolen, or unlocated.

[5] Prior to January 2002, OSI conducted inquiries of stolen items only.

REPORTING OF STOLEN LAPTOP COMPUTERS

Thefts of laptop computers were sometimes not reported to LANL OSI, as required[6].

We determined that three stolen laptop computers at LANL were not reported to OSI. The computers disappeared from a “drop-point” at Technical Area 54 in June 2001. OSI officials advised that they had no record of this incident and had not conducted an inquiry.

As early as November 1998, LANL’s policy disallowed the use of drop-points for delivery of laptop computers. Instead, policy required that laptop computers be picked-up by the customer at the Customer Service Center. We learned that this policy stemmed from an understanding that the use of drop-points increased the potential for theft.

FINANCIAL LIABILITY

LANL employees were not held financially liable for the loss of their assigned Government computers.
In addition to the 22 unlocated laptop computers reported for FYs 2001 and 2002, LANL reported 16 laptop computers, purchased at a cost of $53,267, as lost; 10 laptop computers, purchased at a cost of $32,899, as stolen; and 4 laptop computers, purchased at a cost of $11,589, as possible theft.

The LANL Property Management Manual states that when equipment is lost, damaged, destroyed, or stolen, the Government may hold the property custodian financially liable for repair or replacement if it is proven that the cause resulted from willful misconduct or gross negligence. LANL’s Property Manager, Deputy Property Manager, and former Purchase Card Administrator advised that for the past two fiscal years no one has been held financially liable for any unlocated, lost, or stolen computers.

SUMMARY

In our judgment, this review identified significant weaknesses in LANL management controls over laptop computers. Laptop computers have been acquired using purchase cards and were not assigned property numbers or bar-code tags, or were delayed in receiving such control numbers.
Laptop computers not accredited to process classified information were, in fact, used to do so. Stolen laptop computers were not reported to appropriate authorities and computers reported as unlocated were written-off of the LANL property inventory without a formal inquiry.

Because of these weaknesses, we were especially concerned about the control over classified, sensitive, and proprietary information. As a consequence, our findings and recommendations were referred to the Department’s Offices of Counterintelligence and Independent Oversight and Performance Assurance and to the National Nuclear Security Administration’s (NNSA’s) Office of Defense Nuclear Counterintelligence for review and appropriate action.

[6] The January 2003 OIG Special Inquiry found that LANL had a substantial degree of dysfunction in its communication and assignment of responsibilities for the handling of property loss and theft concerns.

RECOMMENDATIONS

We recommend that the Manager, Los Alamos Site Office, take appropriate action to ensure that LANL:

1. Officials take prompt action to ensure that all property and security policies regarding computers are fully implemented;

2. Conduct a full and complete accounting of laptop computers at LANL and strengthen security controls over laptop computers used to process classified information;

3. Purchase card holders adhere to LANL policies regarding the use of purchase cards for the acquisition of sensitive items, and that an appropriate system of checks and balances is implemented to ensure compliance;

4. Officials initiate a formal inquiry when computers are reported as unlocated;

5. Officials report all lost and stolen computers to the appropriate Laboratory organization; and

6. Employees are held financially liable for lost, stolen, and unlocated computers, in accordance with the Laboratory’s Property Management Manual.

MANAGEMENT COMMENTS

Management, while not formally concurring, expressed general agreement with the report. Management stated that the issues presented in the report would be factored into the corrective action efforts currently underway by the University of California, Los Alamos National Laboratory, Los Alamos Site Office, and appropriate NNSA Headquarters staff offices.

INSPECTOR COMMENTS

Management has acknowledged the existence of internal control weaknesses at LANL. During recent discussions with University of California, LANL, and NNSA officials, management described corrective actions being implemented to address the recommendations in our report.

Appendix A

SCOPE AND METHODOLOGY

The fieldwork portion for this interim report was conducted during the period December 2002 to March 2003.
This review included interviews with DOE officials from the Albuquerque Service Center and officials from LANL, PTLA and other LANL subcontractors. We reviewed applicable policies and procedures pertaining to sensitive property and property management, including:

• Department of Energy Property Management Regulations, Title 41 Code of Federal Regulations, Chapter 109.

• “LANL Property Management Manual.”

In addition, we conducted inventory verification of a judgmental sample of laptop and desktop computers.

This inspection was conducted in accordance with the “Quality Standards for Inspections” issued by the President’s Council on Integrity and Efficiency.

Appendix B

MANAGEMENT COMMENTS

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.doe.gov